(LiveHacking.Com) – Apple has released a massive set of security fixes to address vulnerabilities in OS X, iOS, Safari, and Apple TV. The update for OS X is the largest of all the patches and addresses 80 unique vulnerabilities. The OS X Yosemite v10.10.3 update is available for OS X Yosemite v10.10 to v10.10.2, while Security Update 2015-004 is available for OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5.

Of particular interest is a fix to several CVEs raised by Ian Beer of Google Project Zero. Multiple input validation issues existed in fontd, and as a result a local user may be able to execute arbitrary code with system privileges.

Apple also fixed a use-after-free issue that existed in CoreAnimation, an input validation issue that existed within OS X’s URL processing, and a memory corruption issue that existed in WebKit. Because of these, visiting a maliciously crafted website could have led to arbitrary code execution.

Apple also updated the bundled version of Apache in OS X. Multiple vulnerabilities existed in Apache versions prior to 2.4.10 and 2.2.29, including one that may allow a remote attacker to execute arbitrary code. These issues were addressed by updating Apache to versions 2.4.10 and 2.2.29.

Likewise it also updated the bundled version of PHP. Multiple vulnerabilities existed in PHP versions prior to 5.3.29, 5.4.38, and 5.5.20, including one which may have led to arbitrary code execution. This update addresses the issues by updating PHP to versions 5.3.29, 5.4.38, and 5.5.20.

A security vulnerability in the Intel graphics driver is also credited to Google’s Project Zero. According to the release notes, multiple vulnerabilities existed in the Intel graphics driver, the most serious of which could lead to arbitrary code execution with system privileges.

Another six CVEs were reported to Apple by another of Google’s security groups, this time the Google Security Team. Among its catches is a bug in the kernel: multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content.

The security update is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1. You can read the full details here: http://support.apple.com/en-us/HT1222

Since iOS and OS X share much of the same code (certainly at the lower levels), Apple also released an update to its mobile operating system with many of the same fixes. The iOS update addresses 33 different CVEs and fixes some of the same vulnerabilities from Google’s Project Zero. You can read more about iOS 8.1.3 here: http://support.apple.com/kb/HT204245

Like iOS, Apple TV also uses lots of the same core technologies as OS X. In response to Google’s disclosures and in the light of other security issues, Apple has released Apple TV 7.0.3. It addresses 29 different CVEs including the disclosed problems with XPC: Multiple type confusion issues existed in networkd’s handling of interprocess communication. By sending a maliciously formatted message to networkd, it could be possible to execute arbitrary code as the networkd process.

To round off this huge security update, Apple has also updated Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 on OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1 to fix a series of memory issues with WebKit. If exploited, these vulnerabilities could allow an attacker to run arbitrary code on a victim’s Mac if the user was tricked into visiting a maliciously crafted website.

Apple has also updated its web plug-in blocking mechanism to disable all versions prior to Flash Player 16.0.0.296 and 13.0.0.264.

(LiveHacking.Com) – Google recently came under some heavy criticism when it disclosed a zero-day vulnerability in Windows just days before Microsoft was scheduled to release a fix. Now the search giant has done it again. But this time Google shows that it is truly non-partisan because the disclosures aren’t for Windows, but for OS X.

The first vulnerability allows an attacker to pass arbitrary commands to the networkd OS X system daemon in XPC messages. XPC provides a lightweight mechanism for basic interprocess communication. The problem is that the daemon uses the values from xpc_dictionary_get_value and xpc_array_get_value without subsequent checking of the type of the returned value. Google posted proof-of-concept (POC) code that allows a shell command to be executed as networkd on OS X 10.9.5. The POC uses a specially crafted XPC message which results in “touch /tmp/hello_networkd” being executed. That is a benign command, but it can be replaced with something more malicious.

The second vulnerability, in IOKit IOService, allows an attacker to execute code on an OS X machine with root privileges through a null pointer dereference. The third flaw also relates to IOKit, this time in the Bluetooth subsystem. To exploit it the machine needs to have a Bluetooth device attached, for example an Apple Bluetooth keyboard. Once exploited it allows an attacker to write into kernel memory, potentially allowing them to create a denial of service situation or to access private data.

The security flaws were reported to Apple in October 2014. All three advisories were subsequently published by Google after the expiration of the 90-day grace period given under Project Zero’s disclosure policy.

(LiveHacking.Com) – Apple has released a patch for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1 to update the included NTP server to fix the recently disclosed vulnerabilities. The standard, open source Network Time Protocol (NTP) daemon (ntpd) contains multiple vulnerabilities which were publicly disclosed a few days ago. The vulnerabilities not only affect OS X, but also other Unix-type operating systems like Linux and FreeBSD.

ntpd versions 4.2.7 and earlier have several buffer overflow issues. If exploited they could allow malicious code to be executed. Also, ntp-keygen prior to version 4.2.7p230 has been found to use a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities affect ntpd acting as a server or client.

The full list of vulnerabilities is as follows:

CWE-332 – If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.

CWE-338 – ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.

CWE-121 – A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.

CWE-389 – A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker.

Apple’s release notes state that “a remote attacker may be able to execute arbitrary code” due to the vulnerabilities. The security bulletin goes on to say that “Several issues existed in ntpd that would have allowed an attacker to trigger buffer overflows. These issues were addressed through improved error checking.”

You can read more about APPLE-SA-2014-12-22-1 here and you can read CERT’s note on the issue here. You can download the latest (patched) version of NTP from here.

(LiveHacking.Com) – Apple has released new versions of three of its major software products. The new versions of iOS, OS X and Apple TV address multiple security vulnerabilities. iOS 8.1.1, which is available for the iPhone 4s and later; the iPod touch (5th generation) and later; and the iPad 2 and later; addresses nine separate vulnerabilities. Apple TV 7.0.2, which is available for Apple TV 3rd generation and later, addresses four vulnerabilities, all of which are common with the iOS release. OS X 10.10.1 patches four flaws, two of which are common with the iOS release and two which are specific to OS X.

The common fixes are as follows:

iOS and OS X: A privacy issue existed where browsing data could remain in the cache after leaving private browsing. (CVE-2014-4460)

iOS and OS X: The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user’s approximate location before a user entered a query. (CVE-2014-4453)

iOS and Apple TV: A state management issue existed in the handling of Mach-O executable files with overlapping segments. (CVE-2014-4455)

iOS and Apple TV: A malicious application may be able to execute arbitrary code with system privileges due to a validation issue that existed in the handling of certain metadata fields in IOSharedDataQueue objects. (CVE-2014-4461)

iOS and Apple TV: Due to multiple memory corruption issues in WebKit, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. (CVE-2014-4452 and CVE-2014-4462)

The iOS specific fixes are:

In some circumstances, the failed passcode attempt limit was not enforced. (CVE-2014-4451)

The Leave a Message option in FaceTime may have allowed viewing and sending photos from the device. (CVE-2014-4463)

A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. (CVE-2014-4457)

The OS X only patches are:

The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies. (CVE-2014-4458)

Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution due to a use-after-free issue that existed in the handling of page objects. (CVE-2014-4459)

POODLE (Padding Oracle On Downgraded Legacy Encryption) is the moniker given to a flaw in the SSL 3.0 protocol. SSL 3.0 is considered old and obsolete. It has been replaced by its successors TLS 1.0, TLS 1.1, and TLS 1.2. However, many systems still support SSL 3.0 for compatibility reasons. Many systems retry failed secure connections with older protocol versions, including SSL 3.0. This means that a hacker can trigger the use of SSL 3.0 and try to exploit POODLE.

The vulnerability only exists when the SSL 3.0 cipher suite uses a block cipher in CBC mode. As a result, Apple has disabled CBC cipher suites when TLS connection attempts fail in iOS 8.1.

Apple also fixed a flaw that could allow a malicious Bluetooth device to bypass pairing. According to Apple, “unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy accessories. If an iOS device had paired with such an accessory, an attacker could spoof the legitimate accessory to establish a connection. The issue was addressed by denying unencrypted HID connections.”

With the recent spate of leaked celebrity photos, Apple’s iCloud service has remained under the spotlight. According to Apple a flaw has been fixed which could allow an attacker in a privileged network position to force iCloud data access clients to leak sensitive information. The problem is connected with a TLS certificate validation vulnerability that existed in the iCloud data access clients on previous versions of iOS.

Apple TV 7.0.1

The update to Apple TV is smaller than the changes to iOS, but just as significant. Like the iOS 8.1 release, Apple TV 7.0.1 denies unencrypted HID connections to block malicious Bluetooth input devices that try to bypass pairing. iOS 8.1 also disables CBC cipher suites when TLS connection attempts fail; this is needed to stop hackers trying to exploit the POODLE flaw in SSL 3.0.

Apple TV will periodically check for software updates and will install the update on the next check. However if you want to manually check for software updates go to “Settings -> General -> Update Software”.

(LiveHacking.Com) – Alongside the release of the iPhone 6 and iPhone 6 Plus, Apple has also released a new version of its mobile operating system. iOS 8 includes improvements to Siri and the ability for third parties to add widgets to the notification area. Apple are calling it “huge for developers, massive for everyone else.” iOS 8 also includes some important security fixes. Overall Apple addressed 56 unique CVEs in this release.

Among the changes are fixes for bugs which could allow an attacker with access to an iOS device to access sensitive user information from logs, allow a local attacker to escalate privileges and install unverified applications, and fixes for bugs that allowed some kernel hardening measures to be bypassed.

Other fixes include a patch to stop maliciously crafted PDF files that can allow an attacker to run arbitrary code, and a patch to stop malicious applications executing arbitrary code with system privileges. Most of these issues revolve around NULL pointer dereferencing and bounds checking. For example, an out-of-bounds read issue existed in the handling of an IOHIDFamily function. As a result, a malicious application may be able to read kernel pointers and then bypass kernel address space layout randomization. According to Apple’s release notes, “this issue was addressed through improved bounds checking,” a phrase that is found several times in Apple’s document describing the security content of iOS 8.

WebKit, the open source HTML rendering engine used by Apple, also received a lot of patches (12 in total). According to Apple, visiting a maliciously crafted website in previous versions of iOS may lead to an unexpected application termination or arbitrary code execution. This was because of multiple memory corruption issues in WebKit. These issues were addressed through improved memory handling.

As well as releasing iOS 8, Apple also released new versions of OS X, OS X Server, Safari, and Apple TV. These are all maintenance releases which fix bugs and patch security vulnerabilities. The full list of updates including links to the relevant security information follows:

(LiveHacking.Com) – Reports are starting to emerge that Apple has patched a weakness in its ‘Find My iPhone’ service that could have been used by hackers to steal private photos of nearly 100 Hollywood celebrities. Over the weekend an anonymous hacker posted revealing pictures of nearly 100 celebrities including Oscar-winning Hunger Games actress Jennifer Lawrence, as well as personal photos belonging to Kim Kardashian, Kate Upton, Kirsten Dunst and many others. It is thought that the hacker stole the photos from Apple’s iCloud storage system.

The breach is being linked with a new hacking tool which was recently uploaded to GitHub called “ibrute.” The tool relied on the fact that Apple did not use any brute force protection in its ‘Find My iPhone’ service API. This meant that a script (like ibrute) could be used to try and crack Apple passwords by brute force (i.e. by trying thousands of passwords in rapid succession). The ibrute tool used the top 500 passwords from the RockYou leaked passwords. The RockYou list includes passwords which satisfy Apple’s password policy.

Apple requires its users to create passwords with a minimum of 8 characters that do not contain more than 3 consecutive identical letters, and include a number, an uppercase letter, and a lowercase letter. The top passwords from the RockYou list which satisfy these conditions are: Password1, Princess1, P@ssw0rd, Passw0rd and Michael1.
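As an added illustration (not Apple’s or ibrute’s code), the following models the password policy described above, applies it to the listed RockYou passwords, and shows the per-account attempt limit whose absence made the brute-force attack possible. The lockout threshold, window, account name and passwords are constructed values, not Apple’s.

```python
"""Added example: the stated password policy beside a minimal model of the
server-side attempt limit the Find My iPhone API lacked. Thresholds and
sample values are constructed assumptions, not Apple's."""
import re
import time


def meets_apple_policy(pw: str) -> bool:
    """Policy as described in the article: at least 8 characters, no more
    than 3 consecutive identical characters, and at least one digit, one
    uppercase and one lowercase letter."""
    if len(pw) < 8:
        return False
    if re.search(r"(.)\1{3}", pw):  # a run of 4 or more identical characters
        return False
    return all(re.search(p, pw) for p in (r"\d", r"[A-Z]", r"[a-z]"))


# The five policy-compliant entries quoted from the RockYou list.
TOP_ROCKYOU_COMPLIANT = ["Password1", "Princess1", "P@ssw0rd", "Passw0rd", "Michael1"]


class LockoutGuard:
    """Brute-force protection: once an account has max_failures failed logins
    inside window_s seconds, further attempts are refused without evaluating
    the password until the window passes. Defaults are constructed values."""

    def __init__(self, max_failures: int = 5, window_s: int = 900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self._clock = clock
        self._failures: dict[str, list[float]] = {}

    def attempt(self, account: str, password_ok: bool) -> str:
        """Returns "ok", "denied" (wrong password) or "locked" (not evaluated)."""
        now = self._clock()
        recent = [t for t in self._failures.get(account, []) if now - t < self.window_s]
        if len(recent) >= self.max_failures:
            self._failures[account] = recent
            return "locked"
        if password_ok:
            self._failures[account] = []  # success clears the failure history
            return "ok"
        recent.append(now)
        self._failures[account] = recent
        return "denied"


def guess_until_stopped(guard: LockoutGuard, account: str, candidates, real_password: str):
    """Model a dictionary attack against one account, as the article describes,
    and report how far it gets as (outcome, attempts made). With the guard in
    place the attacker is cut off after max_failures guesses."""
    for n, cand in enumerate(candidates, 1):
        outcome = guard.attempt(account, cand == real_password)
        if outcome in ("ok", "locked"):
            return outcome, n
    return "denied", len(candidates)


if __name__ == "__main__":
    for pw in TOP_ROCKYOU_COMPLIANT:
        print(f"{pw:<12} policy-compliant: {meets_apple_policy(pw)}")
    # Constructed victim account; its real password is not in the candidate list.
    outcome, n = guess_until_stopped(LockoutGuard(), "victim@example.com",
                                     TOP_ROCKYOU_COMPLIANT * 2, "correct horse 7Bs")
    print(f"attack outcome: {outcome} after {n} attempts")
```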

iCloud is part of Apple’s ecosystem that automatically uploads photos taken with an iPhone to the cloud. From here the photos can be seen on other Apple devices owned by the account holder. iCloud also acts as a form of backup so if a device is lost or broken the photos are still available. The problem is that some people don’t realize that their photos are being sent automatically to Apple’s servers and the only thing stopping others from viewing those photos is their password, which isn’t much protection at all if the user has set a password like Password1 and so on.

(LiveHacking.Com) – Apple has released a new point release of iOS 7 to address 44 different security issues with Apple’s mobile operating system. Among the patches are bug fixes for vulnerabilities in the iOS kernel, and fixes for errors in “launchd,” which could allow a malicious application to execute arbitrary code with system privileges. There are also lots of fixes for WebKit, the HTML rendering engine used by Safari.

The kernel vulnerability, which could cause an iOS device to unexpectedly restart, exists because of a null pointer dereference in the handling of IOKit API arguments. This problem was addressed through additional validation of IOKit API arguments.

launchd has been patched quite extensively in this release. The program is responsible for starting, stopping and managing background processes and apps on iOS. According to Apple’s security notice for iOS 7.1.2, launchd has several different vulnerabilities including a heap buffer overflow in the handling of IPC messages, a heap buffer overflow in the handling of log messages, and some unspecified integer overflow/underflow issues. All of these could possibly allow a malicious application to execute arbitrary code with system privileges.

The WebKit HTML rendering engine was also heavily patched with 28 unique bugs being squashed. Many of the bugs were discovered either by Google’s Chrome Security Team or by renowned security researchers like “miaubiz” who were participating in Google’s Vulnerability Rewards Program for Chromium. However Apple did find several bugs on its own. In total, the discovery of 12 of the 28 vulnerabilities is attributed (or co-attributed) to Apple. The result of the “multiple memory corruption issues” in WebKit was that a user visiting a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution.

Two other WebKit vulnerabilities were also found by Erling Ellingsen of Facebook. The first was an encoding issue that existed in the handling of unicode characters in URLs. The result was that a malicious site could send messages to a connected frame or window in a way that might circumvent the receiver’s origin check. The other problem was a spoofing issue that existed in the handling of URLs.

Another interesting issue fixed in this version of iOS was a problem with Siri and lock codes. If a Siri request referred to one of several possible contacts, Siri displayed a list of choices and the option ‘More…’ for a complete contact list. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list.

iOS 7.1.2 is available now for the iPhone 4 and later, the iPod touch (5th generation) and later, and the iPad 2 and later.

Apple has released a slew of updates for several of its key platforms to fix a range of security issues including some related to the OpenSSL Heartbleed bug. According to the release notes for AirPort Base Station Firmware Update 7.7.3, the new software contains a fix for an out-of-bounds memory issue in the OpenSSL library when handling TLS heartbeat extension packets (i.e. the Heartbleed bug). Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected.

For iOS, Apple TV and OS X, Apple also released a set of patches one of which also applies to sessions protected by SSL. Known as a “triple handshake” attack, it was possible for an attacker to create two connections using the same keys and handshake. As a result an attacker could insert data into one connection and renegotiate so that the connections are forwarded to each other. To work around this scenario Apple has changed the SSL renegotiation code so that the same server certificate needs to be presented as in the original connection.

The update to OS X is called Security Update 2014-002 and has various changes for OS X 10.7 Lion, OS X 10.8 Mountain Lion and OS X 10.9 Mavericks. The changes are as follows:

Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie.

A format string issue existed in the CoreServicesUIAgent’s handling of URLs.

A buffer underflow existed in the handling of fonts in PDF files.

A reachable abort existed in Heimdal Kerberos’ handling of ASN.1 data. This meant that a remote attacker could cause a denial of service.

A buffer overflow issue existed in ImageIO’s handling of JPEG images.

A validation issue existed in the Intel Graphics Driver’s handling of a pointer from userspace. As a result a malicious application could take control of the system.

A set of kernel pointers stored in an IOKit object could be retrieved from userland.

A kernel pointer stored in a XNU object could be retrieved from userland.

If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep.

An integer overflow issue existed in LibYAML’s handling of YAML tags as used by Ruby.

A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value.

WindowServer sessions could be created by sandboxed applications.

Apple has also updated iOS 7 with the release of iOS 7.1.1. It patches the same Set-Cookie HTTP headers bug as found in OS X plus it updates WebKit (the HTML rendering engine used by mobile Safari) to fix a number of issues, many of which were found by Google (for its Chrome browser). The new Apple TV 6.1.1 firmware has the same changes as iOS 7.1.1 and addresses the Set-Cookie HTTP headers bug and also patches WebKit.